Operating System - HP-UX

Re: hp-ux pam/kerberos authentication to AD without modifying the AD schema

Peter Heinemann
Frequent Advisor

hp-ux pam/kerberos authentication to AD without modifying the AD schema

Anyone have a way to do this?

ldap-ux isn't a candidate, because my understanding is that it requires a modification to the AD schema.

The problem stems from the 8 character limit for account names under hp-ux; in some cases the AD account against which we would authenticate isn't identical to the Unix account (since AD allows more than 8).

Not an issue on our Linux systems as they permit accounts greater than 8 characters.

I'm wondering if there's any way within the pam/kerberos (or other) suite to map the ux username to the AD domain account, but do it outside of AD.
Steven E. Protter
Exalted Contributor

Re: hp-ux pam/kerberos authentication to AD without modifying the AD schema

Shalom Peter,

My understanding is that what you want to do does require modification of the AD configuration and schema.

You might want to test NIS on a Linux server and see if it allows longer user IDs.

I hate NIS but it might help you out of this circumstance.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Geoff Wild
Honored Contributor

Re: hp-ux pam/kerberos authentication to AD without modifying the AD schema

Are you talking about Samba or general authentication?

For Samba, see my thread here:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=949365

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Peter Heinemann
Frequent Advisor

Re: hp-ux pam/kerberos authentication to AD without modifying the AD schema

Geoff --
general (login) authentication; specifically, ssh (e.g., ssh -l windowsaccount unixorlinuxhost)
Steven E. Protter
Exalted Contributor

Re: hp-ux pam/kerberos authentication to AD without modifying the AD schema

Peter Heinemann
Frequent Advisor

Re: hp-ux pam/kerberos authentication to AD without modifying the AD schema

Turns out there is a way to do the mapping -- one of our folk found it and got it to work today. Here's his writeup:

I successfully configured the PAM_NTLM to authenticate to the AD domain. I believe PAM_NTLM is specific to HP-UX, so a parallel solution for Linux would still need to be considered. PAM_NTLM was already installed on the test server I was working on.

High-level overview:
- A user account must be created on the HP-UX server which must be <= 8 characters (i.e. 'caldwell').

- A password must be set on this account for SSH to work, though this is not the case for telnet.

- A [HP-UX <-> AD] mapping file must be updated to associate a specific HP-UX account with a specific Active Directory user. The location of this mapping file is configured in smb.conf. In the test server, it's set to /etc/opt/cifsclient/pam/domain_user.map. The following is the entry in domain_user.map which is used to map my 'unix' account to domain\adaccount, e.g.:

uxname = \\domain\\longeradname

He adds the following note:

Because of the way PAM would be configured ('sufficient' for pam_ntlm and 'required' for pam_unix) the PAM_NTLM module will give up after three unsuccessful password attempts, after which PAM sends the request to the next module in the stack - PAM_UNIX - to process the authentication request. In short, this means that one will still be able to authenticate using their HP-UX password if NTLM fails three times.
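The mapping file is the one place where the HP-UX account and the AD identity are tied together, so a mistake there (two local accounts pointing at one AD user, one local account listed twice, or a name the 8-character limit will not accept) is worth catching before the file goes live. The following is an added example, not code from the thread or from the HP CIFS client. It assumes the entry format shown above (`uxname = \\domain\\longeradname`, one entry per line, `#` comments) since that single entry is all the thread shows; the sample file contents and the portable user-name pattern are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of a domain_user.map file. The thread shows a single entry
# of the form "uxname = \\domain\\longeradname"; comments, blank lines and the
# other entries below are made up for this example.
SAMPLE_MAP = r"""
# HP-UX account -> AD account (constructed sample)
caldwell = \\CORP\\john.caldwell
uxname   = \\domain\\longeradname
toolongname = \\CORP\\someone.else
jsmith = \\CORP\\John.Caldwell
"""

MAX_HPUX_NAME = 8  # the account-name limit the thread is working around
# Conservative portable user-name pattern; an assumption, not from the thread.
UX_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def parse_map(text):
    """Parse mapping text into a list of (lineno, uxname, domain, adname)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: no '=' in entry {raw!r}")
        ux, target = (part.strip() for part in line.split("=", 1))
        # Right-hand side is \\DOMAIN\\account; split on runs of backslashes
        # and drop the empty leading field.
        parts = [p for p in re.split(r"\\+", target) if p]
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected DOMAIN\\account, got {target!r}")
        entries.append((lineno, ux, parts[0], parts[1]))
    return entries


def check_map(entries):
    """Return a list of problems; an empty list means the mapping looks sane."""
    problems = []
    ux_counts = Counter(e[1] for e in entries)
    # AD names are case-insensitive, so compare them folded.
    ad_counts = Counter((e[2].lower(), e[3].lower()) for e in entries)
    for lineno, ux, domain, ad in entries:
        if len(ux) > MAX_HPUX_NAME:
            problems.append(f"line {lineno}: '{ux}' is longer than {MAX_HPUX_NAME} characters")
        elif not UX_NAME_RE.match(ux):
            problems.append(f"line {lineno}: '{ux}' is not a valid HP-UX account name")
        if ux_counts[ux] > 1:
            problems.append(f"line {lineno}: '{ux}' is mapped more than once (ambiguous)")
        if ad_counts[(domain.lower(), ad.lower())] > 1:
            problems.append(
                f"line {lineno}: {domain}\\{ad} is shared by several HP-UX accounts")
    return problems


if __name__ == "__main__":
    for problem in check_map(parse_map(SAMPLE_MAP)):
        print(problem)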
Peter Heinemann
Frequent Advisor

Re: hp-ux pam/kerberos authentication to AD without modifying the AD schema

One (very important) update, for anyone else considering this approach. Summary below from a long exchange w/ HP engineering.
Quote:

"after the 3.71 ssh software the "ChallengeResponseAuthentication" code was modified. They [WTEC] believe if you upgrade to a later version like 4.20 (which is something they would support since 3.71 is an older version) [you should ] change the sshd_config to indicate ChallengeResponseAuthentication no ( you will need to uncomment this since it is commented out in your sshd_config file and change to no)"
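The catch in that advice is that a commented-out `#ChallengeResponseAuthentication yes` line does nothing: sshd falls back to its built-in default, and the first uncommented occurrence of a keyword is the one that counts. The following is an added example, not code from the thread or from HP; it reads an sshd_config, reports the effective value, and rewrites the first (commented or active) occurrence to `no` so the change can be checked rather than assumed. The sample config is constructed, and Match blocks are deliberately not modelled.

```python
import re

# Constructed sshd_config excerpt shaped like a stock file, where the keyword
# is present but commented out (the situation described in the thread).
SAMPLE_SSHD_CONFIG = """# constructed sample, not a real HP-UX sshd_config
Port 22
Protocol 2
#ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes
"""

KEYWORD = "ChallengeResponseAuthentication"
# keyword, optional '=', value; sshd accepts both "Key value" and "Key=value"
LINE_RE = re.compile(r"^\s*([^\s=]+)\s*=?\s*(.*?)\s*$")


def effective_value(text, keyword):
    """Return the first active (uncommented) value set for keyword, or None.

    sshd uses the first occurrence of each keyword, so later duplicates do
    not override it. Match blocks are not modelled here (simplification)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m and m.group(1).lower() == keyword.lower():
            return m.group(2)
    return None


def challenge_response_disabled(text):
    """True only when the effective value is an explicit 'no'; a commented-out
    line or a missing keyword leaves sshd at its default, which is not 'no'."""
    value = effective_value(text, KEYWORD)
    return value is not None and value.lower() == "no"


def disable_challenge_response(text):
    """Return config text with ChallengeResponseAuthentication set to 'no'.

    The first active occurrence is rewritten if there is one; otherwise the
    first commented-out occurrence is uncommented and rewritten (the case the
    thread describes); otherwise the directive is appended."""
    lines = text.splitlines()
    active = commented = None
    for i, raw in enumerate(lines):
        stripped = raw.strip()
        body = stripped.lstrip("#").strip()
        m = LINE_RE.match(body)
        if not m or m.group(1).lower() != KEYWORD.lower():
            continue
        if stripped.startswith("#"):
            if commented is None:
                commented = i
        elif active is None:
            active = i
    new_line = f"{KEYWORD} no"
    if active is not None:
        lines[active] = new_line
    elif commented is not None:
        lines[commented] = new_line
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("before:", challenge_response_disabled(SAMPLE_SSHD_CONFIG))
    fixed = disable_challenge_response(SAMPLE_SSHD_CONFIG)
    print("after: ", challenge_response_disabled(fixed))
```

Run it against a copy of the real file rather than in place, then diff and restart sshd yourself; `effective_value` is also the right check to put in a compliance script, because it answers what sshd will actually do rather than whether the string appears somewhere in the file.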